A security research firm is warning that a new bug could allow a hacker to take over vast portions of a datacenter -- from within. The zero-day vulnerability lies in a legacy common component in widely-used virtualization software, allowing a hacker to infiltrate potentially every machine across a datacenter's network.
Most datacenters nowadays condense customers -- including major technology companies and smaller firms -- into virtualized machines, or multiple operating systems on one single server. Those virtualized systems are designed to share resources but remain as separate entities in the host hypervisor, which powers the virtual machines. A hacker can exploit this newly-discovered bug, known as "Venom" -- an acronym for "Virtualized Environment Neglected Operations Manipulation" -- to gain access to the entire hypervisor, as well as every network-connected device in that datacenter.
The cause is a widely-ignored, legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine to access other machines -- including those owned by other people or companies.
The bug, found in open-source computer emulator QEMU, dates back to 2004. Many modern virtualization platforms, including Xen, KVM, and Oracle's VirtualBox, include the buggy code. VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected.
http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/
The Linux Foundation security advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
National Cyber Awareness System: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
(Score: 2, Funny) by VitalMoss on Thursday May 14 2015, @04:16PM
Man, the more of these bugs and exploits that come out with such clever acronyms, the more I'm convinced they were left there on purpose, if just so that they sound cool when they are discovered.
(Score: 3, Interesting) by canopic jug on Thursday May 14 2015, @04:30PM
When you see a bug + brand name + logo + lots of marketing, it is time to take a step back and look at the CVE to see what it is really about. In this case it is CVE-2015-3456 [nist.gov] and turns out to be more of a marketing campaign from CrowdStrike [techrights.org]. Every "Patch Tuesday", M$ release info about worse bugs yet none of them get their own brand name, logo, marketing or even their own host name/web site.
Aside from that, if you are using VMs for "security, you are doing it wrong.
Money is not free speech. Elections should not be auctions.
(Score: 5, Informative) by gnuman on Thursday May 14 2015, @04:40PM
Aside from that, if you are using VMs for "security, you are doing it wrong.
I think you don't know what VMs are. Their main purpose is isolation.
But I guess you can say this about anything "If you are using X for "security" you are doing it wrong", where you can put DNSSEC, IPSEC, TLS, SSH, network air gaps, (Intel,AMD,XYZ) CPUs etc. on any of them. Then when someone finds a vulnerability, you'll be vindicated, right?
(Score: 3, Funny) by Anonymous Coward on Thursday May 14 2015, @04:54PM
"If you are using X for "security" you are doing it wrong", where you can put DNSSEC, IPSEC, TLS, SSH, network air gaps, (Intel,AMD,XYZ) CPUs etc.
I noticed that you didn't include obscurity in your list. I guess that means I'm finally doing it right ;-)
(Score: 3, Funny) by Ryuugami on Thursday May 14 2015, @07:00PM
It's obscured in the "etc".
If a shit storm's on the horizon, it's good to know far enough ahead you can at least bring along an umbrella. - D.Weber
(Score: 2) by kaszz on Thursday May 14 2015, @07:37PM
Nor enumeration of bad things. ;-)
(Score: 4, Funny) by LoRdTAW on Thursday May 14 2015, @08:09PM
No, it's there. You just don't know it's there because the parent poster is hoping you won't find it.
(Score: 0) by Anonymous Coward on Thursday May 14 2015, @04:44PM
Are you suggesting that running software in a VM is not more secure than running it in the host OS? I've been thinking that for more dicey browsing I'd load up a browser in a vm to insulate infection risk from my host os.
(Score: 1, Insightful) by Anonymous Coward on Thursday May 14 2015, @09:56PM
while that particular use-case does give you more security, it does not apply to data-centers. in data-centers, the 'isolation' is really more of a safe-guard to keep one piece of software (non-virus) from interfering with the reliability of another. the 'security' of virtualization is just a happy accident. the real reason data-centers have gone virtual in droves is because it is extremely cheap and easy to maintain hundreds of servers that way. in other words, it is more convenient - thus, the security is a happy accident.
(Score: 0) by Anonymous Coward on Thursday May 14 2015, @10:00PM
another point i forgot to make:
if you have 10 servers and one gets hacked, it really doesn't matter if they are real or virtual. one bad apple can still spoil the whole bunch. therefore, VM != security.